Some teams at the VA might have processes that require a separation of duties, where users can pull down releases and associated files, but should not be able to view or manipulate the original source code either remotely or locally. To meet this requirement, the project being audited will need two repositories: one for the project source code and another for the releases themselves.
Separate duties at the VA
To assist with the management of projects requiring separation of duties, we suggest following these measures to ensure ease of use:
- Duty-based teams appended with `-devs`, `-auditors`, and `-admins`
  - `-devs` teams will have write access to both the source code and distributions repositories
  - `-auditors` teams will have read access to the distributions repositories
  - `-admins` teams will have admin access to both the source code and distributions repositories. This team is responsible for repository settings
- Project repository naming conventions
  - Create the source code repository, name it as appropriate, and set it to private
    - Assign the `-devs` team write access
    - Assign the `-admins` team admin access
  - Create the release-only repository with the same name as the source code repository, but append `-dist` (example: `pharmx` and `pharmx-dist`)
    - Assign the `-devs` team write access
    - Assign the `-auditors` team read access
    - Assign the `-admins` team admin access
- `README.md` additions
  - `README.md` files should contain the related repository information (example: Source code: (link to repo) or Distributions: (link to `-dist` repo))
  - Team information for each duty (example: `pharmx-devs` and `pharmx-auditors`)
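The team and repository conventions above can be encoded and checked for drift. This is an added example, not the VA's own tooling: it derives the intended team-to-repository permission map for a project, lists the GitHub REST API calls that would set it up (the `POST /orgs/{org}/repos` and `PUT /orgs/{org}/teams/{team}/repos/{owner}/{repo}` endpoints and the `pull`/`push`/`admin` permission names are GitHub's; nothing is executed here), and audits an observed permission map against the plan so that, for instance, an auditor team that has gained any access to the source repository is reported. The organisation name and the observed data are constructed.

```python
# Separation-of-duties plan for <project> (source, private) and <project>-dist
# (releases), with <project>-devs / -auditors / -admins teams, as described above.

# GitHub team-repository permission levels, ordered from weakest to strongest.
RANK = {"none": 0, "pull": 1, "push": 2, "admin": 3}


def permission_plan(project):
    """Return {repo: {team: permission}} implementing the conventions on this page."""
    src, dist = project, f"{project}-dist"
    return {
        src: {f"{project}-devs": "push", f"{project}-admins": "admin"},
        dist: {f"{project}-devs": "push",
               f"{project}-auditors": "pull",
               f"{project}-admins": "admin"},
    }


def rest_calls(org, project):
    """(method, path, body) tuples for the GitHub REST API that would create the two
    repositories and grant each team its permission. Only the source repository is
    forced private, as the page specifies; the -dist repository keeps the org default."""
    calls = [("POST", f"/orgs/{org}/repos", {"name": project, "private": True}),
             ("POST", f"/orgs/{org}/repos", {"name": f"{project}-dist"})]
    for repo, teams in permission_plan(project).items():
        for team, perm in teams.items():
            calls.append(("PUT", f"/orgs/{org}/teams/{team}/repos/{org}/{repo}",
                          {"permission": perm}))
    return calls


def audit(project, observed):
    """Compare an observed {repo: {team: permission}} map (e.g. collected from
    GET /orgs/{org}/teams/{team}/repos) against the plan. Any team holding more
    access than planned (including auditors with any access to the source repo)
    or less than planned is returned as a finding; an empty list means compliant."""
    findings = []
    for repo, wanted in permission_plan(project).items():
        have = observed.get(repo, {})
        for team in sorted(set(wanted) | set(have)):
            w, h = RANK[wanted.get(team, "none")], RANK[have.get(team, "none")]
            if h > w:
                findings.append(f"{team} has {have[team]} on {repo}, "
                                f"expected {wanted.get(team, 'none')}")
            elif h < w:
                findings.append(f"{team} missing {wanted[team]} on {repo}")
    return findings
```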